Permissions for secrets in initrd: Help!

I want to run wireguard in initrd. My config is very similar to the one in the wiki.

I have access to a tty shell in the initrd. I can see this error:

-bash-5.3# journalctl -b | grep -e "wg0"
Dec 15 18:03:59 myhost systemd-networkd[201]: wg0: Failed to read private key from '/etc/secrets/initrd/50-wg0.key', ignoring network device: Permission denied

I can confirm that the file /etc/secrets/initrd/50-wg0.key actually exists in the initrd.

-bash-5.3# ls -lisa /etc/secrets/initrd/
total 8
1568 0 drwxr-xr-x 2 root root   0 Dec 15 18:03 .
1567 0 drwxr-xr-x 3 root root   0 Dec 15 18:03 ..
1571 4 -rw------- 1 root root  45 Dec 15 18:03 50-wg0.key
1569 4 -rw------- 1 root root 411 Dec 15 18:03 ssh_host_ed25519_key

That’s why I believe it is a permission-related issue, kind of like over here, except that working in the initrd makes everything more complicated.

What’s the best way to fix this without starting to use a new system like sops/age/…?

Any advice is appreciated.

So your file seems to be only readable by its owner, and the owner is root. I notice that systemd-networkd does not run as root, but rather as its own user, so I suspect this is probably why it can’t read the file.


That makes total sense;

that makes multiple solutions possible, but I am not sure which makes the most sense:

  • trying to change who the owner of the file is
  • giving some extra permissions to the systemd-networkd user
  • trying to put the key into some other path, instead of going through boot.initrd.secrets

I wonder what the canonical way is here

I’d say it depends on your threat/security model. For example, I’d probably just make the secret world readable because I’m rather lazy and because the secret is probably not managing anything important. Your threat model might be very different and cannot afford such a lack of security.
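The three options above differ in how much of the filesystem permission check they loosen. The script below is an added example, not code from the thread or from any NixOS or systemd project: it reproduces the kernel's owner/group/other read decision from a file's mode bits so you can see which of the options lets the service user read the key, and a wrapper that runs the same check against a live file with GNU `stat`. The user name `systemd-network` is the account systemd ships for systemd-networkd and is assumed here; the thread only says the daemon "runs as its own user". Inputs in the demo are constructed to mirror the `ls -lisa` output (mode 0600, owner root, group root).

```sh
#!/bin/sh
# Added example (not from the thread): decide whether a service user may read a
# file from its mode bits, owner and group, then suggest a least-privilege fix.
# "systemd-network" is assumed to be the systemd-networkd service account.

# perm_read_allowed MODE OWNER GROUP USER USER_GROUPS
#   MODE        octal mode as printed by `stat -c %a` (600, 0640, ...)
#   USER_GROUPS space-separated group names the user belongs to
# Returns 0 if USER may read the file, 1 otherwise. Root always may.
# Like the kernel, exactly one class applies: owner, else group, else other.
perm_read_allowed() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    [ "$user" = root ] && return 0
    bits=$((0$mode))                  # leading 0 makes the shell parse octal
    if [ "$user" = "$owner" ]; then
        [ $((bits & 0400)) -ne 0 ] && return 0
        return 1                      # owner class applies even if group/other allow
    fi
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            [ $((bits & 0040)) -ne 0 ] && return 0
            return 1
        fi
    done
    [ $((bits & 0004)) -ne 0 ]
}

# check_file FILE USER: read live metadata (GNU stat) and report; if the user
# cannot read the file, print the group-based fix, which grants read access to
# that one account instead of to everyone.
check_file() {
    file=$1 user=$2
    meta=$(stat -c '%a %U %G' "$file") || return 2
    set -- $meta
    groups=$(id -Gn "$user" 2>/dev/null) || groups=$user   # assume a private group if the user is unknown here
    if perm_read_allowed "$1" "$2" "$3" "$user" "$groups"; then
        echo "$file: readable by $user (mode $1, $2:$3)"
    else
        echo "$file: NOT readable by $user (mode $1, $2:$3)"
        echo "  least-privilege fix: chgrp $user '$file' && chmod 0640 '$file'"
        return 1
    fi
}

# Constructed inputs mirroring the thread: key is 0600 root:root and the
# service user is neither root nor the owner.
main() {
    if perm_read_allowed 600 root root systemd-network "systemd-network"; then
        echo "0600 root:root: readable"
    else
        echo "0600 root:root: Permission denied (matches the journal line)"
    fi
    perm_read_allowed 640 root systemd-network systemd-network "systemd-network" \
        && echo "0640 root:systemd-network: readable (group grant, option 2)"
    perm_read_allowed 644 root root systemd-network "systemd-network" \
        && echo "0644 root:root: readable (world-readable, what the last reply does)"
    perm_read_allowed 600 systemd-network systemd-network systemd-network "systemd-network" \
        && echo "0600 systemd-network:systemd-network: readable (chown, option 1)"
}
main
```

Run `check_file /etc/secrets/initrd/50-wg0.key systemd-network` from the initrd shell to get the live verdict; the `chgrp`/`chmod 0640` line it prints is the middle ground between changing the owner and making the key world readable, since only that one account gains read access.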